1. Field of the Invention
The present invention generally relates to electronic circuits and, more specifically, to integrated circuits comprising one or several elements of non-volatile storage of static data, that is, data which are not supposed to be modified. The present invention more specifically applies to the protection of such data against hacking attempts, and especially to flag-type data, that is, data which condition the integrated circuit operation by selection of an operating mode based on a limited number of bits.
2. Discussion of the Related Art
FIG. 1 very schematically shows in the form of blocks an example of an integrated electronic circuit 1 of the type to which the present invention applies. In this example, the circuit comprises a data processing unit 11 (for example, a central processing unit CPU), one or several memories 12 (MEM) among which at least one non-volatile memory element 13 (NVM). Other hardware or software functions may be added to circuit 1 and are symbolized in FIG. 1 by a block 14 (FCT). The different circuits internal to circuit 1 communicate together over one or several data, control, and address buses 15 as well as over direct links (supposed, for simplification, to be comprised in buses 15) between the different elements. Most often, circuit 1 communicates with the output via an input-output circuit 16 (I/O) connected to all or part of buses 15 and used as an interface between the inside and the outside of the circuit.
The present invention relates to the protection of data contained in one or several internal elements, typically of non-volatile storage, both against a discovery of these data and against a modification of their value to intervene on the integrated circuit operation. Such attacks are generally used to discover secret quantities (ciphering, identification or authentication key) or programs supposed to remain secret (specific algorithms). Most often, the attacker tries to switch the electronic circuit to a test mode operation which is in principle not accessible after the end of the manufacturing. Such an operating mode provides him an access to the data forbidden in user mode. More generally, the modification of a state provided by a non-volatile storage element may enable a person attempting fraud to exit a circuit protection program.
The non-volatile storage elements preferentially concerned by the present invention are, for example, elements of fuse type, of ROM type, or of EEPROM type which are supposed to contain static data.
The present invention more specifically aims at the protection of such data against so-called probe attacks, that is, intrusive actions on the circuit aiming at detecting or modifying the state of static data by a direct action.
FIG. 2 very schematically and partially illustrates an example of implementation of such an attack. The integrated circuit is partially shown in cross-section view to show its substrate 20 from which are formed the active areas (ACTIVE) of the circuits and upper conductive levels M1, M2, M3 in which are formed the interconnects between these circuits, as well as the contact recovery pads. In particular, buses 15 are formed in such interconnect levels, generally metallic.
When a datum is stored in static form (especially a fuse flag), a disadvantage as to the security of this datum is that it is visible by optical observation. To mask this visibility, a mechanical screen 21 formed of a last metallization level Mn placed on an insulating level 22 above the last interconnect level of the internal circuits is generally provided.
A probe attack comprises, for a person attempting fraud, eliminating all or part of protection screen 21, then contacting by means of one or several conductive probes p pads 27 or interconnect paths 15 formed in the underlying metallization levels. The other ends of the probes are connected to a measurement device 25 (MES) enabling either reading the state of the signal transiting on the interconnect conductor, or reversing this state. As indicated hereabove, such a reversal may enable exiting a protected operating mode to enter an operating mode enabling the attacker to then read, for example, by means of interface circuit 16, data supposed to remain inside the circuit.
The fuse elements are as buried as possible (for example, in first metallization level M1) to try being masked by interconnect conductors 15. In the case of EEPROM-type storage elements, said elements are formed in active portion 20 of the circuit and the states are available on the connections having these states transit to an element receiving these states (for example, unit 11 or a function 14) only in a reading.
However, the mere fact for the interconnects to be accessible for a probe contact may be sufficient for the attacker to detect or modify the state when read by other circuit functions.